Know How To Handle Credit Cards The Right Way

Jim Luff
Posted on April 7, 2014

If you haven’t heard of PCI Compliance yet, you will soon. The Payment Card Industry (PCI) has formed a Data Security Standard that requires any organization that accepts, acquires, transmits, processes, or stores data containing payment card information to guard the privacy of that information.  

Before the end of the year, you will need to complete an online Self-Assessment Questionnaire (SAQ) to become certified to handle the credit card data. Failure to comply will cause you to lose the ability to take credit cards. This is a serious matter.

What You Need to Know

The PCI Data Security Standard, commonly referred to as “PCI,” includes multiple checkpoint areas: physical security management of your facility, policies on when and how you process cards, and procedures such as how the data is handled once the charge has been processed. It also covers how your computer network is set up, both in-house and for any outside access you allow. If you are using reservations software that processes the credit card during the reservation process, the software itself must be secure from hackers. The last components are monitoring your network for viruses and testing your system against outside attack attempts, in what is known as a penetration test. Your credit card processor can provide a link to test your vulnerability.

The Whole Number

One of the basic requirements of compliance is to protect the credit card number from ever being displayed as a whole number. Only the last four or five digits should be visible after a transaction. You are NEVER allowed to handwrite a whole credit card number on any document. Likewise, no document that is printed including credit card receipts, trip tickets, confirmations or any other document may contain the whole number.

Who Sees It?

The fewer people who see the whole credit card number, or can retrieve the full number by computer look-up, the better. The only person in your organization who needs the whole number is the person reconciling credit card transactions to bank deposits, and even that person should only access the data when there is a discrepancy. This should be the same person who handles credit card disputes, to minimize the number of people with access.

Transaction Process

Firm policies should be in place on the handling of the credit card. While verifying that the customer's identity matches the credit card should be a top priority, PCI Compliance is intended to prevent data breaches, not identity theft, although stolen credit card information may result in identity theft. Once a credit card is entered into reservations software and processed, the credit card number displayed to the employee should from that point on contain only the last four or five digits, and the full number should never be accessible to the employee again.
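The whole-number rule above and the display rule in this section come down to one control: anywhere a card number is printed or shown, only its last four digits may appear, and any receipt, trip ticket or log where a full number survives is a violation to find and fix. The following is an added Python example, not code from this article or from any reservations vendor, that does both jobs on a constructed trip ticket. A Luhn check is used so that other long digit strings (a confirmation number, a phone number) are not flagged as card numbers. The company name, receipt text and the card numbers in it are constructed samples; the card numbers are the widely published Visa and American Express test numbers, not real cards.

```python
"""Mask primary account numbers (PANs) and scan text for unmasked ones."""
import re
from dataclasses import dataclass

# Constructed sample trip ticket (not a real document). It breaks the
# whole-number rule on the "Card:" line. The confirmation number is 16 digits
# but fails the Luhn check, and the card on file is already masked; neither
# should be reported.
SAMPLE_RECEIPT = """\
ACME LIMO - TRIP TICKET
Confirmation: 1234567890123456
Card: 4111 1111 1111 1111  Exp 12/29
Prior card on file: ************0005
Driver phone: 555-0100
"""

# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or hyphens,
# not glued to other letters or digits.
_PAN_CANDIDATE = re.compile(r"(?<!\w)(?:\d[ -]?){12,18}\d(?!\w)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Replace every digit except the last `keep_last` with '*', keeping separators."""
    to_mask = sum(ch.isdigit() for ch in pan) - keep_last
    out = []
    for ch in pan:
        if ch.isdigit() and to_mask > 0:
            out.append("*")
            to_mask -= 1
        else:
            out.append(ch)
    return "".join(out)


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked: str  # the scanner never carries a full PAN out in its results


def find_unmasked_pans(text: str) -> list:
    """Report each line holding a Luhn-valid PAN that is not already masked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                findings.append(Finding(line_no, mask_pan(m.group(0))))
    return findings


def redact_pans(text: str) -> str:
    """Rewrite text so every Luhn-valid PAN shows only its last four digits."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(m.group(0)) if luhn_valid(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for f in find_unmasked_pans(SAMPLE_RECEIPT):
        print(f"line {f.line_no}: full card number printed; should read {f.masked}")
    print(redact_pans(SAMPLE_RECEIPT))
```

Run against the sample, the scanner reports only line 3 and the redacted ticket keeps the confirmation number intact while the card line becomes `**** **** **** 1111`. The same two routines can be pointed at receipt templates, exported reports or application logs to check that no whole number is being written out.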

Data Storage

This is probably the most challenging concern for merchants. Most of us lack the computer knowledge to know whether our network is completely secure, or even how credit card numbers are stored on a network server. If you can create a new reservation for a client and his credit card data is automatically carried over to the new reservation, you are storing the number on your office computer. These transactions are processed through the Internet, meaning your computer is connected to the Internet and vulnerable to attack.


Jim Luff Contributing Editor
Comments (1)

Jan Harris, about 4 years ago:

Do you know what the requirements are in the case of a cloud-based system with third party processing, like Limo Anywhere? I have not been able to determine if we are truly "SAQ A" eligible, since we are a "card not present" merchant. SAQ A merchants do not store cardholder data in electronic format, do not process or transmit any cardholder data on their systems or premises, and validate compliance by completing SAQ A and the associated Attestation of Compliance, confirming that: 1) Your company accepts only card-not-present (e-commerce or mail/telephone-order) transactions; 2) Your company does not store, process, or transmit any cardholder data on your systems or premises, but relies entirely on a third party(s) to handle all these functions; 3) Your company has confirmed that the third party(s) handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant; 4) Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically; 5) Your company does not store any cardholder data in electronic format. We do "transmit" by entering the card data on the LA portal...otherwise we don't store anything. Any ideas?
